Keep your SSH keys GPG-encrypted!
- You will need `ssh-agent` running. If you are a console user, or if your X session doesn't start `ssh-agent` for you, source `ssh.bashrc` from your `.bashrc`.
- `ssh-add` is a wrapper script that, when run without arguments, decrypts your GPG-encrypted private SSH keys (`~/.ssh/*.gpg`) and adds them to the `ssh-agent`.
- Why not just set a passphrase in `ssh-keygen`?
- One passphrase for the GPG key is more manageable than N + 1 passphrases, especially when N, the number of SSH keys, is high. The trade-off is that the GPG key now guards every SSH key at once, so protect it (and its passphrase) at least as well as the most sensitive of them.
- GPG-Agent's passphrase entry UI (pinentry) is prettier than SSH's.
 
- What does the name stand for?
- SSH keys protected by GnuPG, attempt #2
- How do I generate all them keys for all my Hosts?

```sh
# use a subdirectory for a clean ~/.ssh/
mkdir -p ~/.ssh/gpg.d/
# note: this picks up every "Host" line, including patterns such as "Host *";
# a pattern entry would produce a key literally named <user>@*.ed25519
for SSHHOST in $(awk '/^Host / {print $2}' ~/.ssh/config); do
   # with the TOKEN %k you can use SSHHOST; with %h you would need
   # SSHHOSTNAME, which might have twins as it can be a local ip /ö\
   # SSHHOSTNAME=$(ssh -G "$SSHHOST" | awk '/^hostname / {print $2}')
   SSHUSER=$(ssh -G "$SSHHOST" | awk '/^user / {print $2}')
   # empty passphrase on purpose: the private key gets GPG-encrypted in the next step
   ssh-keygen -t ed25519 -f ~/.ssh/gpg.d/"$SSHUSER@$SSHHOST.ed25519" -C "$SSHUSER@$SSHHOST-$USER" -P ""
done
```

- And how could I encrypt them with ease?
```sh
# This could already be done during the generation tho ¯\_(ツ)_/¯
cd ~/.ssh/gpg.d/
# encrypt every private key (everything that is not a .pub) to your own GPG key;
# --encrypt-files writes <name>.gpg next to each input
ls | grep -v '\.pub$' | xargs gpg --recipient <GPGKEYID> --encrypt-files
# then drop the plaintext private keys, keeping *.pub and *.gpg
# (rm only unlinks; on a disk that is not itself encrypted, prefer shred -u)
ls | grep -v -e '\.pub$' -e '\.gpg$' | xargs rm --
```

- How could I put all them keys on the correct Host?
```sh
cd ~/.ssh/gpg.d
for PUB in *.pub; do
   RHOST=${PUB%.ed25519.pub}   # back to user@host, as named by the generation loop
   echo "$RHOST"               # just so we know..
   # BatchMode=yes fails instead of prompting, so this needs a way in that
   # already works non-interactively (an agent key or password-less login)
   ssh -o BatchMode=yes -T "$RHOST" "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" < ~/.ssh/gpg.d/"$PUB"
done
```

- And how do I use those keys with `IdentitiesOnly=yes`?
- `IdentityFile %d/.ssh/gpg.d/%r@%k.ed25519` will work even without the private key file, as long as the `.pub` file is there: with `IdentitiesOnly=yes`, ssh only offers the identities named by `IdentityFile`, and a public key file is enough for it to pick the matching private key out of the agent.
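The following is an added example, not the project's own `ssh-add` wrapper or `ssh.bashrc`, that ties the steps above together as POSIX sh functions. It goes slightly beyond the loops on this page in two ways: it skips pattern entries such as `Host *` when collecting hosts from `~/.ssh/config` (the generation loop above would otherwise try to create a key named `<user>@*.ed25519`), and it shows the decrypt-to-agent step the wrapper script performs, feeding each `gpg --decrypt` output straight into `ssh-add -` so no plaintext key lands on disk. The function names, the `~/.ssh/gpg.d/<user>@<host>.ed25519.gpg` naming and the `add`/`hosts` sub-commands are assumptions for illustration; OpenSSH `ssh-add` and GnuPG 2.x with a running `gpg-agent` are assumed on PATH.

```shell
#!/bin/sh
# Added example (not the project's ssh-add wrapper or ssh.bashrc).
# Assumes OpenSSH ssh-add and GnuPG 2.x with a running gpg-agent on PATH, and
# encrypted keys named ~/.ssh/gpg.d/<user>@<host>.ed25519.gpg as produced by
# the loops above. Directory, file names and function names are assumptions.

# Print only the concrete Host aliases of an ssh_config file. Patterns
# ("Host *", "Host db-*", "Host !old") are skipped, because a key file
# literally named "<user>@*.ed25519" is useless and ssh -G cannot resolve it.
# The keyword is matched case-insensitively, as ssh itself does.
ssh_config_hosts() {
  awk 'tolower($1) == "host" {
         for (i = 2; i <= NF; i++) if ($i !~ /[*?!]/) print $i
       }' "$1"
}

# Map a key file name (private, .pub or .gpg) back to the user@host it is for,
# mirroring the ${PUB%.ed25519.pub} step of the deploy loop.
key_to_target() {
  f=${1##*/}
  f=${f%.gpg}
  f=${f%.pub}
  printf '%s\n' "${f%.ed25519}"
}

# Decrypt each encrypted key in memory and hand it to the agent on stdin
# ("ssh-add -"), so no plaintext key is written to disk. gpg-agent caches the
# GPG passphrase, which is why N keys cost one pinentry prompt.
add_gpg_keys() {
  dir=${1:-"$HOME/.ssh/gpg.d"}
  found=0
  for f in "$dir"/*.gpg; do
    [ -e "$f" ] || continue
    found=1
    gpg --quiet --decrypt "$f" | ssh-add - || {
      echo "failed to add $(key_to_target "$f")" >&2
      return 1
    }
  done
  [ "$found" -eq 1 ] || { echo "no *.gpg keys in $dir" >&2; return 1; }
}

# Usage: sh thisfile.sh add      (loads the keys into the running agent)
#        sh thisfile.sh hosts    (lists the concrete hosts of ~/.ssh/config)
case "${1:-}" in
  add)   add_gpg_keys ;;
  hosts) ssh_config_hosts "$HOME/.ssh/config" ;;
esac
```

`ssh_config_hosts` is a drop-in for the `awk '/^Host / ...'` in the generation loop; `add_gpg_keys` is what a wrapper like the page's `ssh-add` boils down to. Because the decrypted key only ever exists in the pipe and in agent memory, the remaining exposure is the agent itself (and anything you forward it to), which is the same exposure a passphrase-protected key has once added.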